Thursday, November 29, 2012

The Email That Hacks You: Securing the Home Network

I’ve written about this before, but a report this week on yet another way to
exploit unsuspecting home Internet users seemed like a good excuse to update my
blog. A security researcher at Acunetix wrote this week about a simple way he
found to hack some common home WiFi routers. He based his research on the fact
that many email programs will automatically download and display embedded
images. Most programs can be configured not to do this, and I can’t knock the
convenience of not having to expressly download images to see what someone I
know and trust sent. But this behavior can be abused: in his research, instead
of embedding the location of an image file in his email, he embedded a link to
his home router, crafted to log in with the default password and issue some
commands. As far as the email client knew, it was an image, so it tried to load
the link. As far as the router knew, the mail client was a legitimate user,
supplying the legitimate password, and so it let the command go through.

What I wrote 2 years ago is still a pretty good foundation. I look at home
security as having 4 legs: installing the latest software patches; a firewall to
keep bad stuff from coming in; a web filter to keep from getting to bad stuff;
and an antivirus program to deal with the bad stuff that will (not might) get
through. To that I would add one more: lock the door (in other words, be
intelligent in the use of passwords, and never leave the default password on
anything of value).

Windows and Mac OS both have an auto-update feature that will automatically
install any patches and software updates for the operating system (and in the
case of Windows, for Microsoft products such as Internet Explorer and Office).
Ditto for iPhone iOS and Android. Other products have similar features - just
make sure they are turned on. Some of the more common products you may have
that need to be updated regularly are Firefox, Chrome, iTunes, Adobe Reader,
Adobe Flash, and Java. Patches frequently fix bugs that attackers exploit to do
things with a computer that you did not intend. Some of the more famous virus
and worm events could have been prevented by simply installing patches
already available from the vendors.

If you have a wireless network (also known as a wireless router or wireless
access point), it almost certainly has a built-in firewall. If not, Windows has
a built-in firewall that you can turn on by going to the control panel and
opening the "Windows Security Center" panel. More and more entertainment
devices are becoming Internet-aware, though (tablet PCs; game consoles such as
the Wii or Playstation; set-top boxes such as Roku or Tivo; Blu-Ray players; and
now even televisions themselves). If these devices are connected straight to
the Internet, they can become targets for hackers. If at all possible, they
should be connected through either a wireless router, or through a hard-wired
router that has a built-in firewall. Oh, and on the topic of wireless networks,
make sure the wireless access itself is secure!

The above attack relies on the home router having the vendor’s default
password. Simply changing that password to something not easily guessed would
thwart that particular attack. Some routers add a second layer of security in
the form of a “captcha,” or additional (sometimes hard-to-read) text it displays
for you to type back in. As simple and silly as that seems, the human brain is
so far much better at pattern recognition than any electronic device.

A web filter is commonly found on library and school computers, and
frequently on corporate networks as well. It is intended to prevent access to
inappropriate content, but in many cases will also prevent access to sites known
to host malware. K9 Web Protection offers a free web filter for use on
personal computers - I run it on every system in my home. For mobile devices, I
have found Norton Family to be pretty useful. The free version is good basic
web filtering, and for $50 per year it adds monitoring of SMS/text messaging,
apps, and video downloads. It prevents me and my family from accidentally
stumbling into things we don't want to see, but it has also dramatically cut
the amount of malware we see on our computers.

I also started using a tool called “OpenDNS” as one more layer of web
filtering. DNS, or Domain Name Resolution, is how your computer knows that
www.google.com is actually “74.125.224.242.” It happens silently in the
background and is usually ignored unless it stops working. Most routers can
either accept the default DNS server provided by your Internet provider, or take
a specific DNS server you provide. OpenDNS FamilyShield is a free service that
simply doesn’t resolve website addresses that go to known “adult” content (more
accurately, it resolves such websites to a benign address that says “you can’t
go there.”) It’s not perfect, but it’s one layer in the chain, and it is
completely transparent.

Next, run an antivirus program on your computer (even a Mac - Apple has a
reputation for not having malware problems, but it is not necessarily true.
There are viruses and worms on Macs and iPads, and they are gaining popularity
among hackers). Microsoft's free Security Essentials is pretty good, and you
can't beat free. On the subject, pay attention to the antivirus program you
have installed, and know what it looks like - a common malware theme the past
few years is to pretend to be a new antivirus program that has detected
malicious software on your PC.

Lastly, use common sense with passwords. Don’t use the same password for
every site – and especially don’t use the same password for sites that deal with
anything you consider sensitive (such as financial institutions, medical
providers, email, Facebook – what someone considers sensitive may vary from
person to person!). I personally have one low-security password I use for sites
that don’t matter to me, and use a password management program to keep track of
more secure, unique passwords for sites I do care about. There are lots to
choose from; I like LastPass because it is free for PC use – but there is a
paid version that adds support for mobile devices.

These are only the bare minimums, but are a solid foundation for a secure
home network. Some places to go for more education:
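The router attack described at the top of this post works because a mail client fetches whatever an `<img>` tag points at. As an added example (not code from the original post or from the Acunetix research), the script below does what a defensive mail filter or a curious user could do: pull every remote image reference out of an HTML message and flag the ones that point at the local network, carry a username and password in the URL, or do not look like a static image file at all. The sample message, the `.local`/`.lan` hostname suffixes and the `setup.cgi` path are constructed for the example.

```python
"""Flag remote-image references in an HTML email that target the home network
or carry credentials/commands in the URL.  Added example, not from the post."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one ordinary photo plus two "images" aimed at a router.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi! Photos from the trip:</p>
<img src="https://photos.example.com/trip/1.jpg">
<img src="http://admin:admin@192.168.1.1/setup.cgi?dns=203.0.113.5" width="1" height="1">
<img src="http://router.local/setup.cgi?dns=203.0.113.5">
<img src="cid:part1.inline@example.com">
</body></html>
"""

LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")   # assumed conventions
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp")


class ImageSourceCollector(HTMLParser):
    """Collect the src attribute of every <img> tag (self-closing ones too)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def extract_image_sources(html):
    parser = ImageSourceCollector()
    parser.feed(html)
    return parser.sources


def is_private_host(host):
    """True for RFC1918/loopback/link-local IPs and for local-looking names."""
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_private or addr.is_loopback or addr.is_link_local
    except ValueError:
        # Not an IP literal: single-label names and *.local style suffixes
        # resolve on the LAN, not on the Internet.
        return host.lower().endswith(LOCAL_SUFFIXES) or "." not in host


def assess_image_source(src):
    """Return the reasons an image URL is suspicious; an empty list is benign."""
    reasons = []
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return reasons                      # cid:, data: etc. never leave the client
    host = parts.hostname or ""
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded in URL")
    if is_private_host(host):
        reasons.append("targets a private/local address")
    if parts.query:
        reasons.append("carries query parameters (not a static image)")
    if not parts.path.lower().endswith(IMAGE_EXTS):
        reasons.append("path does not look like an image file")
    return reasons


def scan_email(html):
    """Map every image source in the message to its list of findings."""
    return {src: assess_image_source(src) for src in extract_image_sources(html)}


if __name__ == "__main__":
    for src, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + src)
        for r in reasons:
            print("    - " + r)
```

The point of the private-address check is that no legitimate newsletter has any business making your mail client talk to 192.168.x.x; a single hit on that rule is a good reason to keep remote images off by default, which is the client-side mitigation the post recommends.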
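The OpenDNS paragraph above describes a filtering resolver: blocked names are not refused, they are answered with the address of a harmless "you can't go there" page. As an added example (my own code, not OpenDNS's), the snippet below models that behaviour in a tiny resolver so the mechanism is visible, including the detail that a blocklist entry must also cover its subdomains, and adds a check of a resolv.conf-style configuration to confirm that a machine is actually using the filtering resolver rather than the ISP default. The zone data, blocklist and sinkhole address (192.0.2.1, from the documentation range) are constructed; the FamilyShield resolver addresses are the ones OpenDNS publishes, so verify them against the OpenDNS site before relying on them.

```python
"""Model of a filtering DNS resolver plus a resolver-configuration check.
Added example; not code from the post or from OpenDNS."""

SINKHOLE = "192.0.2.1"            # constructed: address of the "blocked" page
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}   # OpenDNS FamilyShield (verify)

# Constructed zone data; www.google.com's address is the one quoted in the post.
ZONE = {
    "www.google.com": "74.125.224.242",
    "www.example.net": "198.51.100.10",
    "adult.example": "198.51.100.20",
    "pics.adult.example": "198.51.100.21",
}
BLOCKLIST = {"adult.example"}     # constructed category list


def normalize(name):
    return name.lower().rstrip(".")


def is_blocked(name, blocklist):
    """A name is blocked if it or any parent domain is on the list."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, zone=ZONE, blocklist=BLOCKLIST, sinkhole=SINKHOLE):
    """Return the sinkhole for blocked names, the real address otherwise,
    or None when the name does not exist (NXDOMAIN)."""
    if is_blocked(name, blocklist):
        return sinkhole
    return zone.get(normalize(name))


def was_filtered(answer, sinkhole=SINKHOLE):
    """Lets a client notice that an answer came from the filter, not the site."""
    return answer == sinkhole


# Constructed resolv.conf-style text, as a router or PC might be configured.
RESOLV_CONF_SAMPLE = """# constructed sample
nameserver 208.67.222.123
nameserver 208.67.220.123
search home.lan
"""


def configured_nameservers(text):
    """Pull the nameserver addresses out of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def uses_filtering_resolver(servers, filtering=FAMILYSHIELD):
    """True only if every configured resolver is a filtering one; a single
    unfiltered fallback server is enough to bypass the filter."""
    return bool(servers) and all(s in filtering for s in servers)


if __name__ == "__main__":
    for host in ("www.google.com", "adult.example", "pics.adult.example", "nope.example"):
        print(host, "->", resolve(host))
    print("filtering resolver in use:",
          uses_filtering_resolver(configured_nameservers(RESOLV_CONF_SAMPLE)))
```

The `uses_filtering_resolver` check is strict on purpose: if a router lists the filtering resolver first and the ISP resolver second, clients will quietly use the second one whenever the first is slow, and the filter disappears without anyone noticing.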
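The password advice above boils down to one rule: a password shared between sites is only acceptable when none of those sites matters. As an added example (my own code, not a feature of LastPass or any other manager), the audit below takes a list of site/category/password records such as a password manager could export, groups the sites by password without ever printing the password itself, and rates each shared password high when a site in a sensitive category (bank, email, medical, social) is among the sharers. The vault contents and category names are constructed.

```python
"""Password-reuse audit over a constructed vault export.  Added example."""
import hashlib
from collections import defaultdict

SENSITIVE = {"bank", "email", "medical", "social"}     # assumed category names

# Constructed vault: (site, category, password).  Never use real data here.
VAULT = [
    ("bank.example", "bank", "Tr0ub4dor&3"),
    ("mail.example", "email", "Tr0ub4dor&3"),        # same as the bank: bad
    ("doctor.example", "medical", "x9#Lq!vP2mZr"),
    ("forum.example", "other", "throwaway1"),
    ("news.example", "other", "throwaway1"),         # shared, but low stakes
]


def fingerprint(password):
    """Short hash so a report can group passwords without revealing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault, sensitive=SENSITIVE):
    """Return one finding per password used on more than one site."""
    groups = defaultdict(list)
    for site, category, password in vault:
        groups[fingerprint(password)].append((site, category))

    findings = []
    for fp, members in groups.items():
        if len(members) < 2:
            continue
        categories = {category for _, category in members}
        findings.append({
            "fingerprint": fp,
            "sites": sorted(site for site, _ in members),
            "severity": "high" if categories & sensitive else "low",
        })
    return sorted(findings, key=lambda f: f["sites"])


def unique_password_ok(vault, site):
    """True when the given site's password is used nowhere else in the vault."""
    fps = [fingerprint(pw) for s, _, pw in vault if s != site]
    own = [fingerprint(pw) for s, _, pw in vault if s == site]
    return bool(own) and own[0] not in fps


if __name__ == "__main__":
    for finding in find_reuse(VAULT):
        print(finding["severity"].upper(), finding["fingerprint"], ", ".join(finding["sites"]))
```

A low-severity finding matches the post's own practice of one throwaway password for sites that do not matter; a high-severity one is exactly the case where a breach at one site hands an attacker your email or bank login.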

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen